They sit off in the corner, some of them collecting dust. Yet, a printer is a legitimate attack surface. Many companies don’t bother to update the firmware on older models, or don’t include every model in a security audit (such as the one in the CEO’s office everyone forgot about), or the organization assumes a hacker won’t bother with an Epson or HP that is barely even connected to Wi-Fi.
Interestingly enough, the fact that a printer is so innocuous and seemingly harmless is the exact reason it poses a threat, according to the security analysts who talked to CSO about this issue. Sometimes, the best attack vector for an attacker is the one no one bothers to think about. Indeed, a recent IDC survey found that 35 percent of all security breaches in offices were traced back to an unsecured printer or multi-function device, costing companies $133,800 each year.
Why the threat is serious
As with any vulnerability, a printer fits into that category of “fringe” devices you might not consider. Enterprise security tools protect networks and laptops; they often do not block access from a printer that is outdated and runs the original firmware that shipped with the product.
“Printers at first may seem like a benign issue, however you have to remember that they are mini-computers,” says Chris Vickery, a white hat hacker and Security Researcher at MacKeeper. “Getting control of a printer within an organization can provide a foothold for further attacks and a position to ‘pivot’ out of into networks.”
The most serious threat has to do with an attacker gaining access to the network through the printer. Other issues include capturing every document sent to the printer, which could be a serious business intelligence compromise. Vickery said another recent incident involved sending a white supremacist document to thousands of printers that did not block a specific port.
Arianna Valentini, a security researcher with IDC, said that apart from the actual hacks into the printer itself, another security concern has to do with documents left unattended. Many older models have no security feature that holds a print job until someone enters a password at the device itself. Corporate users tend to print and forget the documents. This makes it all too easy for a thief to steal the documents, digitize them, and sell company secrets.
Vickery says this problem arose partly due to neglect (printers sitting idle in a corner) and partly due to how the printer companies failed to protect the devices. He says one of the biggest innovations in printer security was in using password protections on printers by default (that is, the devices are shipped with passwords enabled). That doesn’t help with the millions of older models that still rely on default firmware that does not use passwords, however.
Lawrence Pingree, a security researcher at Gartner, says printers pose one additional threat. For an organization in the healthcare or finance sectors, where regulatory compliance is required, a printer is also subject to any inquiries – it poses a compliance risk just as much as a laptop.
The experts all said the printer security issue is not brand specific. There is a widespread problem of older printers from Canon, Xerox, HP, and many others that merely use the default firmware or don’t use any password protection for print jobs, and yet are attached to corporate networks, either through a LAN connection or over Wi-Fi.
Vickery did mention there have been reports of printer security issues with HP models, but that may have more to do with the popularity of that brand. As a result, HP has also stepped up their security, according to Pingree, mostly as a response to the potential for hacking.
Vickery says there is a new vulnerability related to Ricoh printers. He says every Ricoh printer has a backdoor admin account. To use this account, you log in as supervisor with no password. At this point, you can then change the main admin password. Once you have access to the admin account, you can then change the firmware and potentially install a Trojan firmware.
Shortly after this story was published, Ricoh reached out to CSO to dispute Vickery's comments. As they see it, calling the Supervisor account (no password by default) a backdoor was unfair, given that this account, as well as the default administrator settings, are widely known and listed in the product manual. Ricoh also says that customers are told in the manual to configure both the Supervisor and Administrator accounts upon installation.
In addition, their statement adds, Ricoh devices have additional security settings, such as signed firmware, designed to prevent malicious actors from installing specially crafted firmware to the device. When asked if it was possible for an attacker to imitate authentic firmware, Ricoh said it was unlikely. Again, the company cited digital signatures and the use of TPM (trusted platform module) as key protection elements. This is in addition to unique machine language known only by their development team in Japan.
Asked for his reaction to Ricoh's objections, Vickery said that he classifies a backdoor account as one that the average user does not know about, and especially one that allows someone to take over the administrator account.
"The supervisor account falls under both categories. It doesn't matter if Ricoh thinks that people should know about it. Anecdotally, I've never encountered a Ricoh owner that knew that the Supervisor account existed," he said.
"Regarding the firmware issue, their response highlights the exact reason the issue was never released publicly. The demonstrators had reverse engineered Ricoh's software signature. The machine accepts firmware that is properly signed. The public does not have that signature, so the risk is limited to those that have the skills necessary to obtain the signature."
Printer security tips
It’s too easy to suggest one ultimate security tip: Replace outdated printers with newer models that have protection – which would be a nice boon for printer companies. Yet, the technology in recent models has advanced to the point where it is worth considering.
Valentini says new innovations have come just in the past six months. For example, the latest HP PageWide models use a new tech called Sure Start that detects whether the printer is booting using the correct BIOS. An HP Whitelisting feature also checks to make sure the firmware has not been hacked.
Also, Xerox introduced a new feature in March of 2016 that uses encryption for all printing and scanning. Another new feature automatically deletes print jobs at power up, which reduces the likelihood that a hacker could attack a printer that is storing old print jobs.
“We expect to continue to see more product releases from printer manufacturers and software vendors who are taking steps to better help organizations enable a secure print environment,” says Valentini.
Pingree adds that, other than using some of these innovations, it’s important to see a printer for what it is – another server that is running an operating system and is open to attack. This means securing it just like any other endpoint and treating it as a vulnerability.
He also said it is fairly easy to overlook a common problem; it’s usually the IT admins who configure printers, and they might do so using their own credentials, potentially exposing their access privileges. An attacker could conceivably tap in and steal them.
In the end, there are too many options for attack – loading an unauthorized firmware, capturing data from print jobs, or even stealing forgotten docs in the print tray. It’s important to address any possible scenarios, even if the printer then resumes collecting dust.
This story was edited by Steve Ragan on May 10, 2016 to include additional comments from Ricoh.